Target IP: 10.10.199.21
There are two TCP ports open on the target machine: SSH and HTTP.
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 340efe0612673ea4ebab7ac4816dfea9 (RSA)
| 256 49611ef4526e7b2998db302d16edf48b (ECDSA)
|_ 256 b860c45bb7b2d023a0c756595c631ec4 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: House of danak
|_http-server-header: Apache/2.4.29 (Ubuntu)
Port 80: HTTP
The screenshot above shows the web application running on port 80.
The page source contains the HTML comment shown above, which suggests a possible username: john.
The /uploads directory is publicly accessible when the Uploads button on the website is pressed. It contains three files: dist.lst, manifesto.txt, and meme.jpg. The first one is the most interesting, as it is a list of possible passwords; I saved this wordlist on my machine.
A directory search shows the entries above. The /secret entry sounds interesting.
The /secret page contains the SSH key above. Does it belong to the user john? The key is encrypted, so I will use ssh2john to obtain the passphrase, perhaps running it against the wordlist I found earlier.
I copied the SSH key to my machine and used ssh2john with the wordlist from before to crack the passphrase, which turned out to be letmein. I also changed the key's permissions to 400 so that SSH accepts it.
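The exposed key under /secret and the public /uploads listing are exactly what a web-root audit should catch before anyone else does. The script below is an added example, not part of the original writeup: it walks a directory tree, identifies private key files by their PEM/OpenSSH headers, and reports whether each one is passphrase-protected (an unprotected key needs no cracking at all, and a protected one is only as strong as its passphrase). The sample tree, file names and dummy key blob are constructed; the dummy blob holds only the OpenSSH magic, cipher and KDF fields, not real key material.

```python
"""Scan a web root for exposed private keys and report whether each is passphrase-protected.
Added example (not from the original writeup). Paths and sample contents are constructed."""
import base64
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _pack_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, offset: int):
    # Returns (value, next_offset), or (None, offset) if the buffer is truncated
    if len(buf) < offset + 4:
        return None, offset
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if len(buf) < start + length:
        return None, offset
    return buf[start:start + length], start + length


def classify_key(text: str):
    """Return None if text is not a private key, else 'encrypted', 'unencrypted' or 'malformed'."""
    if OPENSSH_HEADER in text:
        body = text.split(OPENSSH_HEADER, 1)[1].split("-----END", 1)[0]
        try:
            blob = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            return "malformed"
        if not blob.startswith(OPENSSH_MAGIC):
            return "malformed"
        # The first string after the magic is the cipher name; "none" means no passphrase
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        if cipher is None:
            return "malformed"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return "encrypted"  # PKCS#8 with a passphrase
    if "PRIVATE KEY-----" in text:
        # Legacy PEM (RSA/DSA/EC): a passphrase is signalled by the Proc-Type header
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    return None


def scan_webroot(root) -> dict:
    """Map each file under root that holds a private key to its classification."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        status = classify_key(text)
        if status is not None:
            findings[str(path.relative_to(root))] = status
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree mirroring the writeup's layout (no real key material)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "uploads").mkdir()
    (root / "uploads" / "dist.lst").write_text("letmein\npassword\n")
    (root / "secret").mkdir()
    # Dummy OpenSSH blob: magic, cipher name, KDF name; the rest of a real key is omitted
    blob = OPENSSH_MAGIC + _pack_string(b"aes256-ctr") + _pack_string(b"bcrypt")
    b64 = base64.b64encode(blob).decode()
    (root / "secret" / "id_rsa").write_text(
        f"{OPENSSH_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n")
    (root / "backup").mkdir()
    # Dummy legacy PEM key with no Proc-Type header, i.e. no passphrase at all
    (root / "backup" / "server.key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAK\n-----END RSA PRIVATE KEY-----\n")
    return str(root)


if __name__ == "__main__":
    for rel, status in scan_webroot(build_sample_webroot()).items():
        print(f"{status:12} {rel}")
```

Point scan_webroot at a real document root to use it for an audit; any finding, encrypted or not, means the key should be rotated, since a passphrase only buys time once the file is public.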
I now have a foothold on the target machine using the SSH key belonging to the user john. Running id shows that this user belongs to the group lxd, which is an easy vector to gain root!
Gaining a root shell is simple. I followed the guide from this article; the commands I executed are highlighted in yellow in the picture above.
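Membership in lxd is worth checking for on any host, not only in a CTF, because it is root-equivalent without needing an exploit. The script below is an added example (not from this writeup or the linked article): it parses /etc/group and lists every user in a group that effectively grants root. The sample group file is constructed and mirrors the john/lxd finding above; the list of risky groups is my choice and can be extended.

```python
"""Audit /etc/group for users in groups that grant root-equivalent access (lxd, docker, ...).
Added example (not from the original writeup); the sample group file is constructed."""
from pathlib import Path

# Membership in these groups lets a user reach root without a password prompt or an exploit
RISKY_GROUPS = {
    "lxd": "can launch a privileged container that mounts the host filesystem",
    "docker": "can run a container with the host root filesystem bind-mounted",
    "disk": "can read raw block devices, bypassing file permissions",
    "sudo": "may run commands as root, depending on /etc/sudoers",
}

# Constructed sample in /etc/group format; 'john' in 'lxd' mirrors the finding in the writeup
SAMPLE_GROUP_FILE = """root:x:0:
adm:x:4:syslog,john
sudo:x:27:
lxd:x:108:john
docker:x:999:
disk:x:6:
"""


def parse_group_file(text: str) -> dict:
    """Map group name -> set of supplementary members (the fourth colon-separated field)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line: skip rather than guess
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def risky_memberships(text: str) -> list:
    """Return (user, group, reason) for every member of a risky group, sorted for stable output."""
    groups = parse_group_file(text)
    hits = []
    for group, reason in RISKY_GROUPS.items():
        for user in groups.get(group, ()):
            hits.append((user, group, reason))
    return sorted(hits)


if __name__ == "__main__":
    # Audit the running host if /etc/group is readable; fall back to the constructed sample
    try:
        text = Path("/etc/group").read_text()
    except OSError:
        text = SAMPLE_GROUP_FILE
    for user, group, reason in risky_memberships(text):
        print(f"{user} is in '{group}': {reason}")
```

Note that this only sees supplementary memberships listed in /etc/group; a user whose primary group (the GID field in /etc/passwd) is one of these would need a second check against /etc/passwd.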
The user.txt flag, obtained after gaining a foothold on the machine.
The root.txt flag, found in the mnt/root/root directory after exploiting the lxd group.